p20319658
/
monkey
forked from p34709852/monkey
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

docs: Change the docs for PowerShell

This commit is contained in:
Ilija Lazoroski 2021-08-30 14:34:21 +02:00
parent e9ac64f108
commit e435894187
2 changed files with 36 additions and 57 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
docs/content/reference/exploiters/PowerShell.md Normal file
View File

@ -0,0 +1,36 @@
---
title: "PowerShell"
date: 2021-08-24T12:19:21+03:00
draft: false
tags: ["exploit", "windows"]
---
### Description
his exploiter uses brute-force to propagate to a victim through PowerShell Remoting using Windows Remote Management (WinRM).
More on [PowerShell Remoting Protocol]("https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1") and [Windows Remote Management]("https://docs.microsoft.com/en-us/windows/win32/winrm/portal").
### Implementation
The exploit brute forces the credentials of PSRP with every possible combination of username and password that
the user provides (see ["configuration"]({{< ref "/usage/configuration" >}})).
#### Credentials list
The PowerShell Remoting Client has ability to use the cached username or/and password from the system we are currently
logged in. This means that the exploiter uses the following combination of credentials to propagate to the victim in the order written:
1. Cached username and password; meaning that the client we use is going to take the stored credentials
from the system we are using to connect. In order for the user to connect without entering username and password
the victim must have enabled basic authentication, http and no encryption on the victim machine.
2. Cached password; brute-force with different usernames and stored password.
3. List of usernames and passwords set in the configuration.
#### Security considerations
The security concerns, recommendations and best practices when using PowerShell Remoting
can be found [here](https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1).

57
docs/content/reference/exploiters/powershell.md
View File

@ -1,57 +0,0 @@
---
title: "PowerShell"
date: 2021-08-24T12:19:21+03:00
draft: false
tags: ["exploit", "windows"]
---
### Description
PowerShell Remoting is a brute-force exploit that uses PowerShell Remoting Protocol (PSRP) and
Windows Remote Management(WinRM) services to propagate to a victim.
### PowerShell Remoting Protocol
PowerShell Remoting Protocol uses Windows Remote Management service, which is Microsoft implementation of Web Services
for Management (WS-Management) protocol, to allow users to run PowerShell commands on remote computers.
PowerShell Remoting and WinRM listens on the following ports:
1. HTTP: 5895
2. HTTPS: 5896
By default, PowerShell Remoting only allows connections from members of the Administrators group. Sessions are launched
under the user's context, so all operating system access controls applied to individual users and groups continue to apply
to them while connected over PowerShell Remoting.
On private networks, the default Windows Firewall rule for PowerShell Remoting accepts all connections. On public networks,
the default Windows Firewall rule allows PowerShell Remoting connections only from within the same subnet. You have to
explicitly change that rule to open PowerShell Remoting to all connections on a public network.
More on [PowerShell Remoting Protocol]("https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1").
### Windows Remote Management
Windows Remote Management (WinRM) is the Microsoft implementation of WS-Management Protocol, a standard Simple Object
Access Protocol (SOAP)-based, firewall-friendly protocol that allows hardware and operating systems, from different
vendors, to interoperate.
More on [Windows Remote Management]("https://docs.microsoft.com/en-us/windows/win32/winrm/portal").
### Implementation
The exploit brute forces the credentials of PSRP with every possible combination of username and password that
the user provides (see ["configuration"]({{< ref "/usage/configuration" >}})).
#### Credentials list
The PowerShell Remoting Client has ability to use the cached username or/and password from the system we are currently
log in. That means that the exploiter uses the following combination of credentials to propagate to the victim in the order written:
1. Username = None and Password = None; which means that the client we use is going to take the stored credentials
from the system we are using to connect. In order for the user to connect without entering username and password
the victim must have enabled basic authentication, http and no encryption on the victim machine.
2. Username list of usernames and Password = None; brute-force with different usernames and None as
password which means that we use the cached one from the system.
3. List of usernames and passwords as plain-text entered by the user.